Sample Captures
Currently Available Traces:
SIP
Video over SIP – This is a trace of sending just video to a softphone.
Audio and Video over SIP – This is a trace of sending audio and video to a softphone.
SIP PRACK – This trace is a basic SIP PRACK call flow.
SIP RTP G711 – This trace is a SIP call flow using RTP and the G.711 codec.
SMS over SIP – This trace is a SIP SMS message example.
SIP Unknown URI – A sample trace that demonstrates the call flow for a SIP INVITE with a URI that is not known by the System Under Test (SUT).
SIP Invite to Busy End Point – Here is a SIP call flow to an endpoint that is busy.
SIP Eyebeam to Eyebeam Call – This trace contains two streams in each direction (e.g. SSRC 3554896964 and SSRC 4215298092). One is the voice (BV32) and the other is the video (H.263). The H.263 payload type is dynamic; it starts at 125 and changes to 126.
ISUP over SIP – UK Initiator Responder – This trace captures a send/receive call flow of a call between two phones using the UK format of ISUP over SIP.
SIP-T
SIP MGC to MGC ISUP – Here is a SIP-T call flow showing an MGC to MGC connection, including ISUP messaging.
SIGTRAN
IUA PRA – This is a single SIGTRAN IUA Call in primary access mode.
IUA Keypad Facility – This is a single SIGTRAN IUA Call where there is no called party number (CDPN) included in the setup, but a Keypad Facility is used instead.
IUA Overlap Send – This is another SIGTRAN IUA Call where there is no CDPN, but Information messages are sent until the Max CDPN Length is reached, in this case 10. After the 10th digit, a sending complete flag is sent with the last digit message.
IUA Status Enquiry and Status Reply – This is a Status Enquiry sent from the MGC, with a Status Reply supplied by the MG SG.
ISDN Service Subaddressing.cap – This is a trace showing a test of the ISDN service Sub-addressing. The message contains a Q.931 SETUP with BC, CHI, CGPN, CDPN, CGPNS (sub-address calling) and CDPNS (sub-address called) elements.
TCAP MAP – This trace contains a MAP message contained in SIGTRAN SUA.
MEGACO
Establish Connection – Wait for a ServiceChangeReq, then send a response to establish the connection between the tester and the Media Gateway, in this example, an AudioCodes Gateway.
AuditValue Test #1 – This is an audit of a Single Termination within a context.
AuditValue Test #2 – This is an audit of Matching Terminations within a context.
AGW Complete Call Flow – This was taken with a Valid8.com tester against an Audiocodes MP-104 analog media gateway. It includes registration with an MGC, initialization of the lines, RTP, and MGC re-initialization.
Megaco Traffic Management & Diff Serve Packages – This trace shows two MEGACO Modify messages that show how to correctly encode additional MEGACO Packages, TMAN and DSP.
MEGACO H.248 AD BV 1 2 3 6 7 – This was taken with a Valid8.com tester against an Audiocodes MP-104 analog media gateway. Passes the following tests:
- Registration – MG registering with MGC
- test H248_MG_AD_BV_01
- test H248_MG_AD_BV_02
- test H248_MG_AD_BV_04
- test H248_MG_AD_BV_06
- test H248_MG_AD_BV_07
H248 Megaco over SCTP example call flow – As the filename suggests, just a simple H.248 Megaco call over SCTP.
SCTP
SCTP Handshake DATA SACK chunks – This is an SCTP Handshake example trace with DATA/SACK chunks.
SCTP Reinitialize – This shows an SCTP connection that needed to be reinitialized, which is why there is a Shutdown present in this trace.
SCTP.cap – This trace contains Sample SCTP PDUs.
SCTP-test.cap – This trace contains sample SCTP handshaking and DATA/SACK chunks.
SCTP-Add-IP.cap – Here are sample SCTP ASCONF/ASCONF-ACK Chunks that perform Vertical Handover.
SCTP-WWW.cap – Sample SCTP DATA Chunks that carry HTTP messages between Apache2 HTTP Server and Mozilla.
SSL
TLS Handshake – This trace shows a complete and successful TLS Handshake example.
TLS Decrypt Error – This trace shows an incomplete TLS Handshake which fails because of a decryption error. This happens often when there are certificate mismatches.
H.323
H323 H225 SETUP E164 1
H323 H225 TerminalCapabilitySetAck 1
H323 H225 H245 TerminalCapabilitySetReject
H323 H225 H245 MasterSlaveDeterminationAck
H323 H225 H245 MasterSlaveDeterminationAck2
H323 H225 FastStart Call
IPV6
SIP_IPv6 – Here is an example of a SIP call over IPv6. I have also uploaded this trace in IPv4, for comparison. That can be found here. For even further comparison, here is the same call flow run against an SJPhone.
M3UA
M3UA Traffic Generation Messaging at MGC – Illustrates traffic generation of M3UA messages with a media gateway controller.
M3UA Traffic Generation Messaging at MG – Illustrates traffic generation of M3UA messages with a media gateway signalling gateway.
M2PA
M2PA Unexpected Level 3 Request – This trace shows the M2PA Link Status of an unexpected Level 3 Request. (Processor Outage, Busy, Busy Ended, Ready)
MGCP
MGCP_Demo_Example – Here is a sample MGCP call flow between MGC and MG.
Crack Attempts
teardrop.cap – Packets 8 and 9 show the overlapping IP fragments in a Teardrop attack.
ftp-guesspassword.cap – FTP Breakin Attempt – Guessing Passwords.
portscan.cap – Portscan Hacker Recon Probe.
SMBattack.pcap – DCE/RPC attack on a Windows 2000 server. Fragmented, with overwrites.
mitm-attack.pcap – Massive Man-In-The-Middle attack. Seems to be ettercap activity. Intel NIC is on router.
tcp-syn-attack.cap – TCP-SYN Attack.
mysql_worm.pcap – Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability Exploit Attempt.
hotel-badnetwork.cap – Hotel with DNS Problems.
zlip-1.pcap – DNS exploit: an endless, self-referencing name pointer exercising the message decompression flaw.
zlip-2.pcap – DNS exploit: endless cross-referencing of name pointers during message decompression.
zlip-3.pcap – DNS exploit: creating a very long domain name through repeated decompression of the same hostname, again and again.
can-2003-0003.pcap – Attack for CERT advisory CA-2003-03.
Bluetooth
l2ping.cap – This trace contains some Bluetooth packets captured using hcidump, the packets were from the l2ping command that’s included with the Linux BlueZ stack.
Bluetooth1.cap – This trace contains some Bluetooth packets captured using hcidump.
Viruses and Worms
Slammer.pcap – Slammer worm sending a DCE RPC packet.
ConfickerB9hrs.pcap – Conficker.B capture, WinXP SP2 unpatched, 9 hours on lab network with 1 non-Windows device + router. Includes the worm’s external IP discovery, and SMB scan.
lovsan-infection.cap – Lovsan Worm Infection.
DNS-remoteshell.pcap – Watch frame 22: Wireshark detecting a DNS anomaly caused by a remote shell riding on the DNS port. DNS anomaly detection made easy by Wireshark.
Mobile
Coming Soon
